CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 1032 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2011-1396	IBM Maximo Asset Management	—	0.00	Mar 13, 2012	Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the reportType parameter to an unspecified component.
CVE-2011-1395	IBM Maximo Asset Management	—	0.00	Mar 13, 2012	Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the controlid parameter.
CVE-2012-0325	Jenkins Project Jenkins	—	0.00	Mar 9, 2012	Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different…
CVE-2012-0324	Jenkins Project Jenkins	—	0.00	Mar 9, 2012	Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different…
CVE-2012-0323	Paul Lesniewsk Autocomplete	—	0.00	Mar 9, 2012	Cross-site scripting (XSS) vulnerability in the Autocomplete plugin before 3.0 for SquirrelMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3046	OpenSUSE openSUSE	—	0.02	Mar 9, 2012	The extension subsystem in Google Chrome before 17.0.963.78 does not properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a "Universal XSS (UXSS)" issue.
CVE-2012-0590	Apple Inc. Iphone Os	—	0.01	Mar 8, 2012	Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a drag-and-drop operation.
CVE-2012-0589	Apple Inc. Webkit	—	0.01	Mar 8, 2012	Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0587, and CVE-2012-0588.
CVE-2012-0588	Apple Inc. Iphone Os	—	0.01	Mar 8, 2012	Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0587, and CVE-2012-0589.
CVE-2012-0587	Apple Inc. Iphone Os	—	0.01	Mar 8, 2012	Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0588, and CVE-2012-0589.
CVE-2012-0586	Apple Inc. Iphone Os	—	0.01	Mar 8, 2012	Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0587, CVE-2012-0588, and CVE-2012-0589.
CVE-2012-1262	Movabletype Movable Type Open Source	—	0.01	Mar 3, 2012	Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the dbuser parameter, a…
CVE-2012-0318	Movabletype Movable Type Open Source	—	0.01	Mar 3, 2012	Multiple cross-site scripting (XSS) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to inject arbitrary web script or HTML via vectors involving templates, a different issue than CVE-2012-1262.
CVE-2012-0715	IBM Tivoli Change And Configuration Management Database	—	0.00	Mar 2, 2012	Cross-site scripting (XSS) vulnerability in the Gantt applet viewer in IBM Tivoli Change and Configuration Management Database (CCMDB) 7.2.1 and IBM ILOG JViews Gantt allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-1410	Kadu Kadu	—	0.00	Feb 29, 2012	Multiple cross-site scripting (XSS) vulnerabilities in the History Window implementation in Kadu 0.9.0 through 0.11.0 allow remote attackers to inject arbitrary web script or HTML via a crafted (1) SMS message, (2) presence message, or (3) status description.
CVE-2012-1212	Smwplus Smw\+	—	0.00	Feb 24, 2012	Cross-site scripting (XSS) vulnerability in the smwfOnSfSetTargetName function in extensions/SMWHalo/includes/SMW_Initialize.php in Semantic Enterprise Wiki (SMW+) 1.5.6, 1.6.0_2 and earlier allows remote attackers to inject arbitrary web script or HTML via the target parameter…
CVE-2012-1209	Fork Cms Fork CMS	—	0.00	Feb 24, 2012	Cross-site scripting (XSS) vulnerability in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter.
CVE-2012-1208	Fork Cms Fork CMS	—	0.08	Feb 24, 2012	Multiple cross-site scripting (XSS) vulnerabilities in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) report parameter to blog/settings or (2) error parameter to…
CVE-2012-1000	Lepton Cms Lepton	—	0.00	Feb 24, 2012	Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to…
CVE-2012-1290	SAP Netweaver	—	0.00	Feb 23, 2012	Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows remote attackers to inject arbitrary web script or HTML via the _loadPage parameter.

CVE-2011-1396Mar 13, 2012
IBM
Maximo Asset Management
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the reportType parameter to an unspecified component.
CVE-2011-1395Mar 13, 2012
IBM
Maximo Asset Management
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the controlid parameter.
CVE-2012-0325Mar 9, 2012
Jenkins Project
Jenkins
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different…
CVE-2012-0324Mar 9, 2012
Jenkins Project
Jenkins
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different…
CVE-2012-0323Mar 9, 2012
Paul Lesniewsk
Autocomplete
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Autocomplete plugin before 3.0 for SquirrelMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3046Mar 9, 2012
OpenSUSE
openSUSE
risk 0.00cvss —epss 0.02
The extension subsystem in Google Chrome before 17.0.963.78 does not properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a "Universal XSS (UXSS)" issue.
CVE-2012-0590Mar 8, 2012
Apple Inc.
Iphone Os
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a drag-and-drop operation.
CVE-2012-0589Mar 8, 2012
Apple Inc.
Webkit
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0587, and CVE-2012-0588.
CVE-2012-0588Mar 8, 2012
Apple Inc.
Iphone Os
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0587, and CVE-2012-0589.
CVE-2012-0587Mar 8, 2012
Apple Inc.
Iphone Os
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0586, CVE-2012-0588, and CVE-2012-0589.
CVE-2012-0586Mar 8, 2012
Apple Inc.
Iphone Os
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0587, CVE-2012-0588, and CVE-2012-0589.
CVE-2012-1262Mar 3, 2012
Movabletype
Movable Type Open Source
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the dbuser parameter, a…
CVE-2012-0318Mar 3, 2012
Movabletype
Movable Type Open Source
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to inject arbitrary web script or HTML via vectors involving templates, a different issue than CVE-2012-1262.
CVE-2012-0715Mar 2, 2012
IBM
Tivoli Change And Configuration Management Database
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Gantt applet viewer in IBM Tivoli Change and Configuration Management Database (CCMDB) 7.2.1 and IBM ILOG JViews Gantt allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-1410Feb 29, 2012
Kadu
Kadu
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the History Window implementation in Kadu 0.9.0 through 0.11.0 allow remote attackers to inject arbitrary web script or HTML via a crafted (1) SMS message, (2) presence message, or (3) status description.
CVE-2012-1212Feb 24, 2012
Smwplus
Smw\+
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the smwfOnSfSetTargetName function in extensions/SMWHalo/includes/SMW_Initialize.php in Semantic Enterprise Wiki (SMW+) 1.5.6, 1.6.0_2 and earlier allows remote attackers to inject arbitrary web script or HTML via the target parameter…
CVE-2012-1209Feb 24, 2012
Fork Cms
Fork CMS
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter.
CVE-2012-1208Feb 24, 2012
Fork Cms
Fork CMS
risk 0.00cvss —epss 0.08
Multiple cross-site scripting (XSS) vulnerabilities in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) report parameter to blog/settings or (2) error parameter to…
CVE-2012-1000Feb 24, 2012
Lepton Cms
Lepton
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to…
CVE-2012-1290Feb 23, 2012
SAP
Netweaver
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows remote attackers to inject arbitrary web script or HTML via the _loadPage parameter.